Tuesday, April 28, 2009

Customer Notification and the Cost of Lost Data

It seems like we hear about hacked websites and stolen digital data more and more these days. It’s unquestionably a big headache to repair the damage done by hackers and get a website or server back up and running after an attack. What is often overlooked is the even bigger legal headache of complying with customer “notification” laws after a digital security breach.

California’s Civil Code §1798.82 is a good example of a customer “notification” law, and many other states have followed California by enacting similar laws. California Civil Code §1798.82 requires businesses to disclose any data breach involving California residents.

“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

This law applies to any business keeping “personal” information about California residents, no matter where the website or server collecting the information is physically located. So, a company with a website accessible by California residents, sending advertisements into California, or selling a game in California must comply with this law, even if the business stores its customer information in a database outside of California.

The definition of “security breach” in the law is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” A security breach could be anything from a malicious hack to a misdirected email to a lost laptop. The expense of notifying customers about compromised data is the big reason that, on average, a lost or stolen laptop costs a business almost $50,000, according to a recent Intel-commissioned study.

The California law does not provide a specific timeframe to send notification to affected customers after a security breach, only that notification must be made “in the most expedient time possible and without unreasonable delay.” Non-compliance with the notification requirement opens the door for affected customers to sue the business for damages. To mitigate this risk, customer “notification” laws should be carefully examined by all businesses that collect customer information, preferably before an actual breach occurs.

Lastly, a business that follows the notification procedure under California Civil Code §1798.82 is not thereby immune from suit on other grounds. Customers affected by a security breach may still file lawsuits based in tort or other commercial causes of action.